From 704a162345eb5077c2d92de5fb68a6e8ab691ce2 Mon Sep 17 00:00:00 2001
From: lalka2016 <99399973+lalka2016@users.noreply.github.com>
Date: Thu, 18 May 2023 16:14:50 +0300
Subject: [PATCH] Fixes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Исправил уязвимость когда можно было сделать репост в группу с закрытой стеной, теперь при репосте меняется число на самом сайте и ещё что-то
---
 ServiceAPI/Groups.php                         |  5 ++--
 VKAPI/Handlers/Wall.php                       |  2 +-
 Web/Models/Repositories/Clubs.php             | 25 ++++++++++++-------
 Web/Presenters/WallPresenter.php              |  8 ++++--
 .../components/post/microblogpost.xml         |  4 +--
 .../templates/components/post/oldpost.xml     |  4 +--
 Web/static/js/openvk.cls.js                   | 18 +++++++++----
 7 files changed, 43 insertions(+), 23 deletions(-)

diff --git a/ServiceAPI/Groups.php b/ServiceAPI/Groups.php
index 2b429eee..28f4b321 100644
--- a/ServiceAPI/Groups.php
+++ b/ServiceAPI/Groups.php
@@ -18,9 +18,10 @@ class Groups implements Handler
     {
         $clubs = [];
         $wclubs = $this->groups->getWriteableClubs($this->user->getId());
+        $count = $this->groups->getWriteableClubsCount($this->user->getId());
-        if(count(iterator_to_array($this->groups->getWriteableClubs($this->user->getId()))) == 0) {
-            $reject("You did not created any groups");
+        if(!$count) {
+            $reject(122, "You don't have any groups with write access");
             return;
         }
diff --git a/VKAPI/Handlers/Wall.php b/VKAPI/Handlers/Wall.php
index 82fbf1c7..41af5c0d 100644
--- a/VKAPI/Handlers/Wall.php
+++ b/VKAPI/Handlers/Wall.php
@@ -475,7 +475,7 @@ final class Wall extends VKAPIRequestHandler
             if(!$club->canBeModifiedBy($this->user))
                 $this->fail(16, "Access to group denied");
-            $nPost->setWall($group_id*-1);
+            $nPost->setWall($group_id * -1);
         } else {
             $nPost->setWall($this->user->getId());
         }
diff --git a/Web/Models/Repositories/Clubs.php b/Web/Models/Repositories/Clubs.php
index 8a346a91..41084d58 100644
--- a/Web/Models/Repositories/Clubs.php
+++ b/Web/Models/Repositories/Clubs.php
@@ -1,6 +1,6 @@ context = DatabaseConnection::i()->getContext();
-        $this->clubs = $this->context->table("groups");
+        $this->context = DatabaseConnection::i()->getContext();
+        $this->clubs = $this->context->table("groups");
+        $this->coadmins = $this->context->table("group_coadmins");
     }
     private function toClub(?ActiveRow $ar): ?Club
@@ -73,17 +75,22 @@ class Clubs
     function getWriteableClubs(int $id): \Traversable
     {
-
-        $result = DatabaseConnection::i()->getConnection()->query("SELECT * FROM `groups` WHERE `owner` = $id ORDER BY `id`;");
-        $coadmins = DatabaseConnection::i()->getConnection()->query("SELECT * FROM `group_coadmins` WHERE `user` = $id ORDER BY `user`;");
+        $result = $this->clubs->where(["owner" => $id]);
+        $coadmins = $this->coadmins->where(["user" => $id]);
         foreach($result as $entry)
-            yield $this->get($entry->id);
+            yield new Club($entry);
         foreach($coadmins as $coadmin)
-            yield $this->get($coadmin->club);
+            $cl = new Manager($coadmin);
+            yield $cl->getClub();
     }
-
+
+    function getWriteableClubsCount(int $id): int
+    {
+        return sizeof($this->clubs->where(["owner" => $id])) + sizeof($this->coadmins->where(["user" => $id]));
+    }
+
     use \Nette\SmartObject;
 }
diff --git a/Web/Presenters/WallPresenter.php b/Web/Presenters/WallPresenter.php
index 9d59ab59..928026f8 100644
--- a/Web/Presenters/WallPresenter.php
+++ b/Web/Presenters/WallPresenter.php
@@ -382,6 +382,10 @@ final class WallPresenter extends OpenVKPresenter
             $nPost->setWall($this->user->id);
         } elseif($where == "group") {
             $nPost->setOwner($this->user->id);
+            $club = (new Clubs)->get((int)$groupId);
+
+            if(!$club || !$club->canBeModifiedBy($this->user->identity))
+                $this->notFound();
             if($this->postParam("asGroup") == 1)
                 $flags |= 0b10000000;
@@ -389,7 +393,7 @@ final class WallPresenter extends OpenVKPresenter
             if($this->postParam("signed") == 1)
                 $flags |= 0b01000000;
-            $nPost->setWall($groupId*-1);
+            $nPost->setWall($groupId * -1);
         }
         $nPost->setContent($this->postParam("text"));
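Review bot: The second loop in getWriteableClubs is brace-less, so only `$cl = new Manager($coadmin);` runs inside `foreach($coadmins as $coadmin)` and `yield $cl->getClub();` executes once after the loop — a user who co-administers several groups is offered only the last one, and a user with no co-admin rows reaches the yield with `$cl` undefined. Replace the two added lines with `yield (new Manager($coadmin))->getClub();` (or wrap both statements in braces). The owner branch now builds `new Club($entry)` directly instead of going through `$this->get()`, so any filtering `toClub()` performs on that path (only its signature is visible here) is bypassed; confirm that is intended, since this list is what the ServiceAPI presents as repost/post targets. The parameterised `where()` calls replacing the interpolated SQL on the removed lines are the right direction even though `$id` was already int-typed.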
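Review bot: The new guard in the `$where == "group"` branch depends on `$this->notFound()` terminating the request; if it returns rather than throws, execution continues to `$nPost->setWall($groupId * -1)` in the next hunk and the post is still written to the group wall, so either confirm it throws or add an explicit `return;` after the call. The check also demands `canBeModifiedBy()` for every post routed through this branch; if ordinary members of a group with an open wall also reach it, they would now be rejected — the enclosing method starts outside the hunk, so verify the callers. The VKAPI counterpart in Wall.php answers the same condition with code 16 "Access to group denied" while this path answers 404; that asymmetry is defensible (it does not reveal whether the group exists) but deserves a comment such as `// 404 rather than 403: do not reveal whether the group exists` so it is not "fixed" later.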
@@ -403,7 +407,7 @@ final class WallPresenter extends OpenVKPresenter
         };
         $this->returnJson([
-            "wall_owner" => $where == "wall" ? $this->user->identity->getId() : $groupId*-1
+            "wall_owner" => $where == "wall" ? $this->user->identity->getId() : $groupId * -1
         ]);
     }
diff --git a/Web/Presenters/templates/components/post/microblogpost.xml b/Web/Presenters/templates/components/post/microblogpost.xml
index 2f2fc2f1..9dca593d 100644
--- a/Web/Presenters/templates/components/post/microblogpost.xml
+++ b/Web/Presenters/templates/components/post/microblogpost.xml
@@ -96,9 +96,9 @@ {_comment}